Legacy desktop applications --- the applications in use on most desktops today --- often process data from multiple untrusted sources. If an application makes a mistake when processing this data, the integrity of the application, and potentially the entire system, can be compromised. We introduce a new operating system primitive that enables an application running on a legacy OS to efficiently create unprivileged virtual machines when dealing with untrusted data. These virtual machines can then perform all of the complex operations needed to process and render the application's data. The resulting window content is transparently mapped into the window space of the application. Using this primitive, we built an evince-based PDF viewer that limits PDF exploits to controlling an unprivileged virtual machine with file access only to the PDF itself. We also built a WebKit-based web browser which limits browser exploits to controlling an unprivileged virtual machine with access solely to the contents of the tab in which the exploit occurred. We further show how a whole suite of desktop applications can use our new primitive to separate privileges when dealing with untrusted data. Moving recursively upwards, we can view the operating system itself as an application that needs privilege separation when dealing with untrusted data from multiple sources (i.e. the different applications it runs). We describe a prototype implementation of an operating system that manages its applications in this way.




Download Full History